A bastion host is an AWS instance that sits in a public subnet and acts as a "jump server" to allow remote access to other instances in private subnets via SSH or RDP. When configured properly with security groups and network ACLs, the bastion host acts as a secure bridge between the internet and private instances. A bastion host is needed if remote access to private instances over the public internet is required. The bastion host should only be used for that purpose and be locked down with rules restricting inbound traffic to SSH/RDP from authorized IP addresses and outbound traffic only to the private instances.
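The lockdown described above can be checked mechanically. The following is an added example, not code from the original page: it audits a security group given as a dictionary with the field names that EC2's describe-security-groups output uses. The function names, CIDR ranges and sample groups are assumptions constructed for illustration, and rules that reference other security groups instead of CIDRs are not evaluated.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP

def rule_cidrs(perm):
    """All IPv4 and IPv6 CIDRs named in one rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def within(cidr, allowed):
    """True if cidr lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_bastion_sg(sg, authorized_cidrs, private_cidrs):
    """Return findings for rules looser than the lockdown described above."""
    sources = [ipaddress.ip_network(c) for c in authorized_cidrs]
    targets = [ipaddress.ip_network(c) for c in private_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        # IpProtocol "-1" means every protocol and port.
        admin_only = (perm.get("IpProtocol") == "tcp"
                      and perm.get("FromPort") == perm.get("ToPort")
                      and perm.get("FromPort") in ADMIN_PORTS)
        if not admin_only:
            findings.append("inbound: rule is not limited to SSH/RDP")
        for cidr in rule_cidrs(perm):
            if not within(cidr, sources):
                findings.append(f"inbound: {cidr} is not an authorized source")
    for perm in sg.get("IpPermissionsEgress", []):
        for cidr in rule_cidrs(perm):
            if not within(cidr, targets):
                findings.append(f"outbound: {cidr} is not a private subnet")
    return findings

# Constructed sample data (documentation address ranges, not real hosts).
AUTHORIZED, PRIVATE = ["203.0.113.0/24"], ["10.0.1.0/24"]
WEAK_SG = {
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
HARDENED_SG = {
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                             "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
}
```

Calling `audit_bastion_sg(WEAK_SG, AUTHORIZED, PRIVATE)` reports the open inbound source and the unrestricted egress, while the hardened group returns no findings.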